CLI Reference

vpn ipsec {manualkey-interface | manualkey}

Use manualkey-interface to configure manual keys for a route-based (interface mode) IPsec VPN tunnel. Creating a route-based tunnel automatically creates a virtual IPsec interface on the FortiGate unit; this interface can be modified afterward using the system network interface command. The manualkey-interface command is only available when the FortiGate unit is operating in NAT mode.

Use manualkey to configure manual keys for a tunnel-mode (policy-based) IPsec VPN tunnel that connects a FortiGate unit and a remote client or gateway that is also using manual keys. Because the keys are entered when you configure the tunnel, no IKE negotiation is required for the VPN tunnel to start. However, the remote client or gateway must use the same encryption and authentication algorithms and the same keys. Because there is no key exchange, the keys also never change until you replace them on both ends: generate them from a cryptographically secure random source, keep them out of shared configuration backups, and rotate them on a schedule. A tunnel that runs on one static key has no forward secrecy, so a key recovered later decrypts every capture ever taken of that tunnel.

Note: The two commands use different names for the same authentication and encryption settings. The following entries exist only under manualkey-interface and are not available under manualkey, which uses the names shown in parentheses instead:

  • auth-alg (manualkey: authentication)
  • enc-alg (manualkey: encryption)
  • auth-key (manualkey: authkey)
  • enc-key (manualkey: enckey)
  • local-spi (manualkey: localspi)
  • remote-spi (manualkey: remotespi)

config vpn ipsec manualkey-interface
    edit {name}
    # Configure IPsec manual keys.
        set name {string}   IPsec tunnel name. size[15]
        set interface {string}   Name of the physical, aggregate, or VLAN interface. size[15] - datasource(s): system.interface.name
        set ip-version {4 | 6}   IP version to use for VPN interface.
                4  Use IPv4 addressing for gateways.
                6  Use IPv6 addressing for gateways.
        set addr-type {4 | 6}   IP version to use for IP packets.
                4  Use IPv4 addressing for IP packets.
                6  Use IPv6 addressing for IP packets.
        set remote-gw {ipv4 address}   IPv4 address of the remote gateway's external interface.
        set remote-gw6 {ipv6 address}   Remote IPv6 address of VPN gateway.
        set local-gw {ipv4 address any}   IPv4 address of the local gateway's external interface.
        set local-gw6 {ipv6 address}   Local IPv6 address of VPN gateway.
        set auth-alg {option}   Authentication algorithm. Must be the same for both ends of the tunnel.
                null    null
                md5     md5
                sha1    sha1
                sha256  sha256
                sha384  sha384
                sha512  sha512
        set enc-alg {option}   Encryption algorithm. Must be the same for both ends of the tunnel.
                null     null
                des      des
                3des     3des
                aes128   aes128
                aes192   aes192
                aes256   aes256
                aria128  aria128
                aria192  aria192
                aria256  aria256
                seed     seed
        set auth-key {string}   Hexadecimal authentication key in 16-digit (8-byte) segments separated by hyphens.
        set enc-key {string}   Hexadecimal encryption key in 16-digit (8-byte) segments separated by hyphens.
        set local-spi {string}   Local SPI, a hexadecimal 8-digit (4-byte) tag. Discerns between two traffic streams with different encryption rules.
        set remote-spi {string}   Remote SPI, a hexadecimal 8-digit (4-byte) tag. Discerns between two traffic streams with different encryption rules.
        set npu-offload {enable | disable}   Enable/disable offloading IPsec VPN manual key sessions to NPUs.
    next
end
config vpn ipsec manualkey
    edit {name}
    # Configure IPsec manual keys.
        set name {string}   IPsec tunnel name. size[35]
        set interface {string}   Name of the physical, aggregate, or VLAN interface. size[15] - datasource(s): system.interface.name
        set remote-gw {ipv4 address}   Peer gateway.
        set local-gw {ipv4 address any}   Local gateway.
        set authentication {option}   Authentication algorithm. Must be the same for both ends of the tunnel.
                null    Null.
                md5     MD5.
                sha1    SHA1.
                sha256  SHA256.
                sha384  SHA384.
                sha512  SHA512.
        set encryption {option}   Encryption algorithm. Must be the same for both ends of the tunnel.
                null     Null.
                des      DES.
                3des     3DES.
                aes128   AES128.
                aes192   AES192.
                aes256   AES256.
                aria128  ARIA128.
                aria192  ARIA192.
                aria256  ARIA256.
                seed     Seed.
        set authkey {string}   Hexadecimal authentication key in 16-digit (8-byte) segments separated by hyphens.
        set enckey {string}   Hexadecimal encryption key in 16-digit (8-byte) segments separated by hyphens.
        set localspi {string}   Local SPI, a hexadecimal 8-digit (4-byte) tag. Discerns between two traffic streams with different encryption rules.
        set remotespi {string}   Remote SPI, a hexadecimal 8-digit (4-byte) tag. Discerns between two traffic streams with different encryption rules.
        set npu-offload {enable | disable}   Enable/disable NPU offloading.
    next
end

Additional information

The following section is for those options that require additional explanation.

interface <name>

The name of the physical, aggregate, or VLAN interface to which the IPsec tunnel will be bound.

ip-version {4 | 6}

Enter 4 (the default) for IPv4 or 6 for IPv6 addressing of the local and remote gateways (local-gw and remote-gw versus local-gw6 and remote-gw6).

addr-type {4 | 6}

Enter 4 (the default) for IPv4 or 6 for IPv6 addressing of the IP packets carried through the tunnel.

remote-gw <ip-addr>

The IP address of the remote gateway's external interface.

local-gw [sec-ip-addr]

An optional secondary IP address of the interface selected in the interface entry used for the local end of the VPN tunnel.

auth-alg <algorithm>

Enter one of the following authentication algorithms:

  • null
  • md5: Message Digest (MD) 5, the hash algorithm developed by RSA Data Security.
  • sha1: Secure Hash Algorithm (SHA) 1 producing a 160-bit message digest.
  • sha256: SHA 2 producing a 256-bit message digest.
  • sha384: SHA 2 producing a 384-bit message digest.
  • sha512: SHA 2 producing a 512-bit message digest.

Make sure to use the same algorithm at both ends of the tunnel. md5 and sha1 are kept for compatibility with legacy peers; use sha256 or stronger for new tunnels. null disables integrity checking on the tunnel entirely.

Note: The auth-alg and enc-alg entries cannot both be null.

enc-alg <algorithm>

Enter one of the following encryption algorithms:

  • null
  • des: Data Encryption Standard (DES), a 64-bit block algorithm that uses a 56-bit key.
  • 3des: Triple-DES, in which plain text is encrypted three times by three keys.
  • aes128: A 128-bit block algorithm that uses a 128-bit key.
  • aes192: A 128-bit block algorithm that uses a 192-bit key.
  • aes256: A 128-bit block algorithm that uses a 256-bit key.
  • aria128: A 128-bit Korean block algorithm that uses a 128-bit key.
  • aria192: A 128-bit Korean block algorithm that uses a 192-bit key.
  • aria256: A 128-bit Korean block algorithm that uses a 256-bit key.
  • seed: A 128-bit Korean block algorithm that uses a 128-bit key.

The ARIA algorithm may not be available on some FortiGate models. des and 3des are legacy algorithms kept for interoperability with older peers; choose aes128 or stronger for new tunnels. null sends the payload unencrypted and relies on auth-alg alone for integrity. Make sure to use the same algorithm at both ends of the tunnel.

Note: The auth-alg and enc-alg entries cannot both be null.

auth-key <key>

Note: This entry is only available when auth-alg is set to md5, sha1, or sha256.

The authentication key, entered as hexadecimal digits in 16-digit (8-byte) segments separated by hyphens:

  • For an MD5 key, enter a 32-digit (16-byte) hexadecimal number, for example 0102030405060708-090a0b0c0d0e0f10.
  • For a SHA1 key, enter a 40-digit (20-byte) hexadecimal number. The final segment is only 8 digits (4 bytes).
  • For a SHA256 key, enter a 64-digit (32-byte) hexadecimal number.

Digits can range between 0-9 and a-f. Make sure to use the same key at both ends of the tunnel. The example above illustrates the layout only; generate real keys from a cryptographically secure random source, never from a memorable pattern.

enc-key <key>

Note: This entry is only available when enc-alg is set to des, 3des, aes128, aes192, or aes256.

The encryption key, entered as hexadecimal digits in 16-digit (8-byte) segments separated by hyphens:

  • For a DES key, enter a 16-digit (8-byte) hexadecimal number.
  • For a 3DES key, enter a 48-digit (24-byte) hexadecimal number.
  • For an AES128 key, enter a 32-digit (16-byte) hexadecimal number.
  • For an AES192 key, enter a 48-digit (24-byte) hexadecimal number.
  • For an AES256 key, enter a 64-digit (32-byte) hexadecimal number.

Digits can range between 0-9 and a-f. Make sure to use the same key at both ends of the tunnel, and do not reuse the auth-key value as the enc-key.

local-spi <hex-number>

The local Security Parameter Index (SPI), a tag that lets the kernel tell apart two traffic streams that may use different encryption rules and algorithms. Enter a hexadecimal number of up to 8 digits (4 bytes) in the range 100 to FFFFFFFF; values below 100 are reserved by RFC 4303 and cannot be used. The same value must be entered as the remote SPI on the peer at the opposite end of the tunnel.

remote-spi <hex-number>

The remote SPI. Enter a hexadecimal number of up to 8 digits (4 bytes) in the range 100 to FFFFFFFF. The same value must be entered as the local SPI on the peer at the opposite end of the tunnel.

authentication <algorithm>

Enter one of the following authentication algorithms:

  • null
  • md5: Message Digest (MD) 5, the hash algorithm developed by RSA Data Security.
  • sha1: Secure Hash Algorithm (SHA) 1 producing a 160-bit message digest.
  • sha256: SHA 2 producing a 256-bit message digest.
  • sha384: SHA 2 producing a 384-bit message digest.
  • sha512: SHA 2 producing a 512-bit message digest.

Make sure to use the same algorithm at both ends of the tunnel. md5 and sha1 are kept for compatibility with legacy peers; use sha256 or stronger for new tunnels. null disables integrity checking on the tunnel entirely.

Note: The authentication and encryption entries cannot both be null.

encryption <algorithm>

Enter one of the following encryption algorithms:

  • null
  • des: Data Encryption Standard (DES), a 64-bit block algorithm that uses a 56-bit key.
  • 3des: Triple-DES, in which plain text is encrypted three times by three keys.
  • aes128: A 128-bit block algorithm that uses a 128-bit key.
  • aes192: A 128-bit block algorithm that uses a 192-bit key.
  • aes256: A 128-bit block algorithm that uses a 256-bit key.
  • aria128: A 128-bit Korean block algorithm that uses a 128-bit key.
  • aria192: A 128-bit Korean block algorithm that uses a 192-bit key.
  • aria256: A 128-bit Korean block algorithm that uses a 256-bit key.
  • seed: A 128-bit Korean block algorithm that uses a 128-bit key.

The ARIA and seed algorithms may not be available on some FortiGate models. des and 3des are legacy algorithms kept for interoperability with older peers; choose aes128 or stronger for new tunnels. null sends the payload unencrypted and relies on authentication alone for integrity. Make sure to use the same algorithm at both ends of the tunnel.

Note: The authentication and encryption entries cannot both be null.

authkey <key>

Note: This entry is only available when authentication is set to md5, sha1, or sha256.

The authentication key, entered as hexadecimal digits in 16-digit (8-byte) segments separated by hyphens:

  • For an MD5 key, enter a 32-digit (16-byte) hexadecimal number, for example 0102030405060708-090a0b0c0d0e0f10.
  • For a SHA1 key, enter a 40-digit (20-byte) hexadecimal number. The final segment is only 8 digits (4 bytes).
  • For a SHA256 key, enter a 64-digit (32-byte) hexadecimal number.

Digits can range between 0-9 and a-f. Make sure to use the same key at both ends of the tunnel. The example above illustrates the layout only; generate real keys from a cryptographically secure random source, never from a memorable pattern.

enckey <key>

Note: This entry is only available when encryption is set to des, 3des, aes128, aes192, or aes256.

The encryption key, entered as hexadecimal digits in 16-digit (8-byte) segments separated by hyphens:

  • For a DES key, enter a 16-digit (8-byte) hexadecimal number.
  • For a 3DES key, enter a 48-digit (24-byte) hexadecimal number.
  • For an AES128 key, enter a 32-digit (16-byte) hexadecimal number.
  • For an AES192 key, enter a 48-digit (24-byte) hexadecimal number.
  • For an AES256 key, enter a 64-digit (32-byte) hexadecimal number.

Digits can range between 0-9 and a-f. Make sure to use the same key at both ends of the tunnel, and do not reuse the authkey value as the enckey.

localspi <hex-number>

The local Security Parameter Index (SPI), a tag that lets the kernel tell apart two traffic streams that may use different encryption rules and algorithms. Enter a hexadecimal number of up to 8 digits (4 bytes) in the range 100 to FFFFFFFF; values below 100 are reserved by RFC 4303 and cannot be used. The same value must be entered as the remote SPI on the peer at the opposite end of the tunnel.

remotespi <hex-number>

The remote SPI. Enter a hexadecimal number of up to 8 digits (4 bytes) in the range 100 to FFFFFFFF. The same value must be entered as the local SPI on the peer at the opposite end of the tunnel.
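The key and SPI layout described for auth-key, enc-key, local-spi and remote-spi under manualkey-interface, and for the equivalent authkey, enckey, localspi and remotespi entries of manualkey, is easy to get subtly wrong by hand: a key one segment short, a hyphen in the wrong place, an SPI in the reserved range, or a peer whose SPIs were not swapped. The following Python script is an added example and not FortiGate code. It generates keys of the correct length for each algorithm from the operating system's CSPRNG in the hyphenated 16-digit segment layout, checks a set of tunnel parameters against the rules on this page (null/null rejected, key length per algorithm, SPI within 100 to FFFFFFFF) and prints the mirrored CLI blocks for both ends so that gateways and SPIs are swapped correctly. Treating md5, sha1, des and 3des as legacy is this example's own policy rather than a FortiGate restriction, and the interface names and addresses in the usage section are constructed placeholders.

```python
"""Manual-key IPsec helper for the FortiGate CLI layout (added example, not FortiGate code).

Generates keys and SPIs, checks them against the documented rules, and renders
the mirrored config blocks for both ends of a manual-key tunnel.
"""
import re
import secrets

# Key sizes in bytes for the algorithms whose key entries the reference documents.
AUTH_KEY_BYTES = {"md5": 16, "sha1": 20, "sha256": 32}
ENC_KEY_BYTES = {"des": 8, "3des": 24, "aes128": 16, "aes192": 24, "aes256": 32}
# Flagged as legacy by this example's own policy (assumption, not a FortiGate rule).
LEGACY = {"md5", "sha1", "des", "3des"}
SPI_MIN, SPI_MAX = 0x100, 0xFFFFFFFF  # documented range for local/remote SPI

# The two commands use different entry names for the same settings.
NAMES = {
    "manualkey-interface": ("auth-alg", "enc-alg", "auth-key", "enc-key", "local-spi", "remote-spi"),
    "manualkey": ("authentication", "encryption", "authkey", "enckey", "localspi", "remotespi"),
}


def format_key(raw: bytes) -> str:
    """Hex-encode and split into 16-digit (8-byte) segments joined by hyphens."""
    h = raw.hex()
    return "-".join(h[i:i + 16] for i in range(0, len(h), 16))


def parse_key(key: str) -> bytes:
    """Inverse of format_key; rejects anything outside the documented layout."""
    segs = key.split("-")
    if not all(re.fullmatch(r"[0-9a-f]{16}", s) for s in segs[:-1]):
        raise ValueError("every segment but the last must be 16 lowercase hex digits")
    if not re.fullmatch(r"(?:[0-9a-f]{2}){1,8}", segs[-1]):
        raise ValueError("last segment must be 1 to 8 whole bytes of hex")
    return bytes.fromhex("".join(segs))


def gen_keys(auth_alg: str, enc_alg: str) -> tuple[str, str]:
    """Fresh, independent keys from the OS CSPRNG, sized for the chosen algorithms."""
    return (format_key(secrets.token_bytes(AUTH_KEY_BYTES[auth_alg])),
            format_key(secrets.token_bytes(ENC_KEY_BYTES[enc_alg])))


def gen_spi() -> int:
    """Random SPI inside the documented range (values below 0x100 are reserved)."""
    return SPI_MIN + secrets.randbelow(SPI_MAX - SPI_MIN + 1)


def check(auth_alg, enc_alg, auth_key, enc_key, local_spi, remote_spi) -> list[str]:
    """Problems found against the page's rules plus this example's legacy policy."""
    problems = []
    if auth_alg == "null" and enc_alg == "null":
        problems.append("authentication and encryption cannot both be null")
    for label, alg in (("auth", auth_alg), ("enc", enc_alg)):
        if alg in LEGACY:
            problems.append(f"{label} algorithm {alg} is legacy; prefer sha256/aes")
    for label, alg, key, sizes in (("auth", auth_alg, auth_key, AUTH_KEY_BYTES),
                                   ("enc", enc_alg, enc_key, ENC_KEY_BYTES)):
        if alg in sizes:  # key entry only exists for these algorithms
            try:
                n = len(parse_key(key))
            except ValueError as exc:
                problems.append(f"{label} key: {exc}")
                continue
            if n != sizes[alg]:
                problems.append(f"{label} key is {n} bytes, {alg} needs {sizes[alg]}")
    for label, spi in (("local", local_spi), ("remote", remote_spi)):
        if not SPI_MIN <= spi <= SPI_MAX:
            problems.append(f"{label} SPI {spi:x} outside 100-FFFFFFFF")
    return problems


def render(cmd, name, iface, local_gw, remote_gw, auth_alg, enc_alg,
           auth_key, enc_key, local_spi, remote_spi) -> str:
    """CLI block for one end, using the entry names of the chosen command."""
    a, e, ak, ek, ls, rs = NAMES[cmd]
    body = [f"set interface {iface}", f"set local-gw {local_gw}", f"set remote-gw {remote_gw}",
            f"set {a} {auth_alg}", f"set {e} {enc_alg}", f"set {ak} {auth_key}",
            f"set {ek} {enc_key}", f"set {ls} {local_spi:x}", f"set {rs} {remote_spi:x}"]
    return "\n".join([f"config vpn ipsec {cmd}", f"    edit {name}"]
                     + [f"        {line}" for line in body] + ["    next", "end"])


def render_pair(cmd, name, a_iface, a_gw, b_iface, b_gw, auth_alg, enc_alg,
                auth_key, enc_key, a_spi, b_spi) -> tuple[str, str]:
    """Both ends: identical algorithms and keys; gateways and SPIs mirrored."""
    side_a = render(cmd, name, a_iface, a_gw, b_gw, auth_alg, enc_alg, auth_key, enc_key, a_spi, b_spi)
    side_b = render(cmd, name, b_iface, b_gw, a_gw, auth_alg, enc_alg, auth_key, enc_key, b_spi, a_spi)
    return side_a, side_b


if __name__ == "__main__":
    # Constructed placeholder interfaces and addresses; replace with your own.
    ak, ek = gen_keys("sha256", "aes256")
    sa, sb = gen_spi(), gen_spi()
    assert check("sha256", "aes256", ak, ek, sa, sb) == []
    for cfg in render_pair("manualkey-interface", "site-b", "port1", "192.0.2.1",
                           "wan1", "198.51.100.1", "sha256", "aes256", ak, ek, sa, sb):
        print(cfg, end="\n\n")
```

Run it as a script to print a ready-to-paste pair of configurations, one per gateway. The check() function is also what you would run over parameters received out of band from a peer before entering them: it reports a mismatched key length before the tunnel silently fails to pass traffic.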

npu-offload {enable | disable}

Enable (the default) or disable offloading of VPN sessions to a network processing unit (NPU).
